Data Protection as a Service December 2023 Newsletter
From Cyber Security Partners Your Trusted Security Partner
Addenbrooke's Hospital Data Breach
Source: BBC News
Cambridge University Hospitals NHS Foundation Trust has apologised after private information regarding over 22,000 maternity and cancer patients from Addenbrooke’s Hospital, Cambridge was released in two breaches back in 2020 and 2021. Roland Sinker, the chief executive of the trust, said the breaches had “only recently come to light.” Cambridge MP, Daniel Zeichner, has called for a review to prevent future breaches.
Newsletter Highlights
• Addenbrooke’s Hospital Data Breach
• School Apologises for Sharing Personal Data
• UK’s Top Websites Warned to Make Cookie Change
The Trust said the first set of details shared included names, hospital numbers and some medical information identifying women who had terminations and miscarriages – though did not contain home addresses or dates of birth. The second, related to 373 cancer patients on clinical trials, included their names, hospital numbers and some medical information.
"Both were the result of mistakenly including patient information in Excel spreadsheets in response to Freedom of Information Act (FOI) requests," said Mr Sinker.
The first related to data provided about maternity patients in a FOI request via the “What Do They Know” website. The website group alerted the trust to the breach and removed the information from their own website. Following this, the trust undertook a review of all (roughly 8,000) FOI requests they responded to in the last 10 years and discovered the second case where patient data was mistakenly contained in a spreadsheet sent in 2021 as part of a FOI response to Wilmington PLC.
Cyber Security Partners’ DPaaS Information Handling Training can provide this to your users on either a scheduled or ad-hoc basis.
CSP’s advice:
• Develop comprehensive data protection policies outlining how personal information should be handled, stored and shared within the organisation. Ensure employees are aware of the policies and regularly train them on data protection best practices.
• Limit access to personal data to only those employees who require it to perform their duties. Implement strong access controls and regularly review and update user permissions.
• Regularly review, evaluate, and update data protection practices to align with changing regulations and security threats.
School Apologises for Sharing Personal Data
Source: BBC News Essex
Ortu Gable Hall School has apologised for sending an email to parents which listed personal data of 69 pupils being disciplined for bad behaviour. The principal said the email was sent by mistake and asked parents to delete it.
The message included an attachment containing information about pupil special educational needs (SEN) status and free school meal eligibility.
A member of staff sent out a daily notice in the morning but included a behaviour incidents log attachment for the day prior. The message included the names of 69 pupils relating to 74 incidents, children's pupil premium eligibility, and special educational needs (SEN) status, as well as descriptions of the incidents and what action was taken. School principal, Gary Lewis, has apologised to families, and the school contacted the ICO immediately to seek advice.
CSP’s advice:
• Sensitive Data Handling Training – when handling sensitive data, it is vital that the process is not rushed. Staff should be regularly trained on the importance of data handling. CSP's DPaaS Information Handling Training can provide this to your users on either a scheduled or ad-hoc basis.
• Information Handling Training is useful when handling sensitive data. It is vital that the process is performed correctly and so staff should be trained on the importance of data handling. CSP’s DPaaS Information Handling Training can also provide this service.
• Data encryption – Encrypting the document ensures that anyone trying to read it would need to know the key used to encrypt the data, even if the document was mistakenly attached to an email.
UK's Top Websites Warned to Make Cookie Change
Source: ICO
The Information Commissioner has warned several companies running many of the UK’s most visited websites that they must make changes to comply with data protection law or face enforcement action.
Some websites do not give fair choices to their users regarding whether or not to be tracked for personalised advertising. The ICO has previously issued clear guidance that organisations must make it as easy for users to “Reject All” advertising cookies as it is to “Accept All”. Websites can still display advertising when users reject all tracking, but these ads cannot be tailored to the person browsing.
The ICO will provide an update in January, including details of companies that have not addressed their concerns.
• Build online interfaces around customers’ interests and preferences.
• Help users make effective and informed choices about personal information and put them in control of how it’s used.
• Use designs that have been tested and trialled, ensuring choices are evidence based.
• Comply with data protection, consumer and competition law.
For help implementing data protection services, contact us via:
0113 532 3763 info@csp.partners
Cyber Security Partners Ltd Yorkshire House, Greek Street, LS1 5SH www.csp.partners